We are using Developer Edition Version 8.9 (build 43852)
Our builds take approximately 3-4 times as much time when using sonarqube vs not. Would be great if i can get some help diagnosing this.
Sonarqube counts 181,000 lines of code
The msbuild phase of the process takes 6 min with sonarqube as opposed to 2.
A slightly old report analyzer shows the following. I can get a newer one
Hello @Mark_Oueis . Welcome to the community forum!
It would be nice to get a newer one, we are constantly making performance improvements and the list of worst-performing rules changes from time to time. Seeing how rules behave in the wild helps us prioritize which performance improvement to do next.
It would help to get verbose logs for the END step (please run SonarScanner.MSBuild.exe begin /k:"MyProject" /d:sonar.verbose=true as the BEGIN step, and please attach the output of END step).
To demistify what weâre doing during these steps, the analysis is done in two steps:
during the build - our native Roslyn analyzers are running for most of the rules (~250 in the default QP); also UCFG files (modelling the control flow of the program) are created for the vulnerability injection analysis which is done in the END step
during the END step - our security engine runs over the UCFG files to find vulnerabilities - we currently have 12 rules that detect injection vulnerabilities - this is expensive and it depends on how many âsourcesâ (sources of user input) and âsinksâ (DB access, file access etc) there are in the program.
Here is the end of the logs for sonar end - somewhat redacted. Attached is the full sonar end logs sonarendlogs.txt (89.1 KB)
17:24:30.639 DEBUG: Adding normal issue S1128: 1000s of files
17:24:32.164 INFO: Found 5 MSBuild C# projects: 3 MAIN projects. 2 TEST projects.
17:24:32.164 INFO: Sensor C# [csharp] (done) | time=16844ms
17:24:32.164 INFO: Sensor C# Tests Coverage Report Import [csharp]
17:24:32.165 DEBUG: Analyzing coverage with wildcardPatternFileProvider with base dir âC:\Jenkins\workspace_DEVOPS-2728-snarqube-build-perf.â and file separator ''.
17:24:32.166 DEBUG: Pattern matcher extracted prefix/absolute path âC:\Jenkins\workspace_DEVOPS-2728-snarqube-build-perf.\Coverage\Report.htmlâ from the given pattern âCoverage\Report.htmlâ.
17:24:32.166 DEBUG: Pattern matcher returns a single file: âC:\Jenkins\workspace_DEVOPS-2728-snarqube-build-perf.\Coverage\Report.htmlâ.
17:24:32.166 DEBUG: The current user dir is âC:\Jenkins\workspace_DEVOPS-2728-snarqube-build-perfâ.
17:24:32.166 INFO: Aggregating the HTML reports from âC:\Jenkins\workspace_DEVOPS-2728-snarqube-build-perf.\Coverage\Report.htmlâ.
17:24:32.212 DEBUG: dotCover aggregator: collected 1584 report files to parse.
17:24:32.212 INFO: Parsing the dotCover report *1000s of files
17:24:33.206 INFO: Adding this code coverage report to the cache for later reuse: C:\Jenkins\workspace_DEVOPS-2728-snarqube-build-perf.\Coverage\Report.html
17:24:33.218 DEBUG: Analyzing coverage after aggregate found â1583â coverage files.
17:24:33.219 DEBUG: Skipping *1000s of files
17:24:33.946 DEBUG: The total number of file count statistics is â1583â.
17:24:33.946 INFO: Coverage Report Statistics: 1583 files, 1154 main files, 1154 main files with coverage, 429 test files, 0 project excluded files, 0 other language files.
17:24:33.946 INFO: Sensor C# Tests Coverage Report Import [csharp] (done) | time=1782ms
17:24:33.946 INFO: Sensor Zero Coverage Sensor
17:24:34.028 INFO: Sensor Zero Coverage Sensor (done) | time=82ms
17:24:36.082 INFO: CPD Executor 714 files had no CPD blocks
17:24:36.083 INFO: CPD Executor Calculating CPD for 2310 files
17:24:36.083 DEBUG: Detection of duplications for 1000s of files
17:24:37.562 INFO: CPD Executor CPD calculation finished (done) | time=1479ms
17:24:37.574 DEBUG: SCM revision ID â59d447821b8b9477623271ad20bc7730fb84153bâ
17:24:37.574 INFO: Load New Code definition
17:24:37.588 DEBUG: GET 200 http://SOMEIP/api/new_code_periods/show.protobuf?project=gc-api&branch=DEVOPS-2728-snarqube-build-perf | time=14ms
17:24:37.589 INFO: Load New Code definition (done) | time=15ms
17:24:43.580 INFO: Analysis report generated in 4341ms, dir size=32 MB
17:26:46.751 INFO: Analysis report compressed in 123171ms, zip size=12 MB
17:26:46.751 INFO: Analysis report generated in C:\Jenkins\workspace_DEVOPS-2728-snarqube-build-perf.sonarqube\out.sonar\scanner-report
17:26:46.751 DEBUG: Upload report
17:26:47.429 DEBUG: POST 200 http://SOMEIP/api/ce/submit?projectKey=gc-api&characteristic=branch%3DDEVOPS-2728-snarqube-build-perf&characteristic=branchType%3DBRANCH | time=677ms
17:26:47.431 INFO: Analysis report uploaded in 680ms
17:26:47.433 DEBUG: Report metadata written to C:\Jenkins\workspace_DEVOPS-2728-snarqube-build-perf.sonarqube\out.sonar\report-task.txt
17:26:47.433 INFO: ANALYSIS SUCCESSFUL, you can browse http://SOMEIP/dashboard?id=gc-api&branch=DEVOPS-2728-snarqube-build-perf
17:26:47.433 INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
17:26:47.433 INFO: More about the report processing at http://SOMEIP/api/ce/task?id=AXmAhAf87-YLrK4ZV3Nn
17:26:47.435 DEBUG: Post-jobs :
17:26:47.439 INFO: Analysis total time: 6:33.387 s
17:26:47.442 INFO: ------------------------------------------------------------------------
17:26:47.442 INFO: EXECUTION SUCCESS
17:26:47.442 INFO: ------------------------------------------------------------------------
17:26:47.442 INFO: Total time: 6:34.764s
17:26:47.643 INFO: Final Memory: 61M/1706M
17:26:47.643 INFO: ------------------------------------------------------------------------
Process returned exit code 0
The SonarScanner CLI has finished
To help visualize the difference⌠Here is the exact same build WITHOUT sonarqube vs with sonarqube
The injection vulnerability analysis I previously mentioned didnât actually take place due to some optimizations inside it (there were no entrypoints found in the application).
However, what it took time was actually to read the metadata files we generated for analysis (type information and UCFG files containing the application control flow graph information). This suggests either that:
you may want to look into optimizing the disk access on your build machines (either hardware or software)
you may want to look into your antivirus software configuration (and exclude the folder with the source code / where the analysis is done)
And regarding the other report, please bear in mind that we removed (because their performance problems) from the default Quality Profile the following two rules that you have activated:
UnnecessaryUsings is RSPEC-1128 (S1128) and itâs a code smell - you can remove it from the QP if you think itâs not worth the cost. CbdeHandlerRule refers to the rule RSPEC-3949 Calculations should not overflow (S3949), which currently does not have a good cost/benefit ratio in our opinion, hence we removed it from the SonarWay default Quality Profile.
The SymbolicExecutionRunner is running multiple bug-detection rules using the Symbolic Execution technique and we believe they are worth the costs given the benefit they bring.
Regarding this, given that you have in your Quality Profile rules that we removed from the default Quality Profile - your QP may be out of sync with the default one, which means you may not have the latest rules we have been adding - you may want to visit what rules you include in your QP and add the newest ones to benefit from them. Weâve added many vulnerability and security hotspot detection rules in the past year and it would be a pity not to benefit from them.
I hope this helps. Please let us know if you manage to improve your build times.
